How to Understand the Privacy Policy of an Online Business

By Petar Todorovski . 7 June 2024

Data Privacy Specialist

Fact-Checked this

If you want to learn more about any company’s privacy practices, their privacy policy is a good place to start.

A privacy policy is a document that data protection laws require businesses to publish on their websites to inform users on what they do with the personal data they process.

In this guide you will learn about:

How to understand an online business’ privacy practices by looking at their privacy policy
What elements to look for in a privacy policy
Understand the elements of a privacy policy
Understand what an online business must disclose in their privacy policy
How to read and judge a privacy policy

This guide was written in plain language, aimed at regular everyday readers. No fancy legalese, so dive in and enjoy the read.

It won’t give you all the answers but will show you why a company processes personal data, what they process, and with whom they share it.

Some data protection laws have an explicit requirement for a Privacy Policy. The California Consumer Privacy Act (CCPA), for example, explicitly requires a privacy policy and lists every single element obligatory for a compliant privacy policy.

The General Data Protection Regulation (GDPR) of the EU, on the other hand, does not explicitly require one. Still, it requires businesses to provide users with information on their data operations under the transparency and accountability principles.

Unlike the CCPA, it is not explicit about the information that users should provide. Still, it is sprinkled with many requirements regarding the information a business must deliver to users about transparency and accountability.

To sum it up, business and website owners that collect and process personal data understand that a privacy policy is the most practical way to comply with the transparency requirements.

To the benefit of internet users, they can use the privacy policy as a transparency tool and look into the privacy practices of any given online business. This guide aims to show you how to read privacy policies and draw conclusions from them.

It is important to note that we assume the business is transparent about data processing, but not all privacy policies are GDPR-compliant. Companies, sometimes knowingly and sometimes unknowingly, hide some information that should be included in the privacy policy.

That would require a further investigation beyond this guide’s scope. For this purpose, we will assume that everything in the privacy policy is accurate.

We will explain to you the obligatory elements of each privacy policy and how to connect the dots between them to understand what is being done with your data.

Summary: This article provides a guide on how to understand the privacy practices of an online business by examining their privacy policy.

It outlines key elements to look for within a privacy policy and offers tips on how to effectively interpret and evaluate the information presented.

Additionally, the discussion highlights the importance of understanding the components of a privacy policy and the essential information that an online business is required to disclose.

Designed for the everyday reader, this guide is written in clear and straightforward language.

Elements of a GDPR-Compliant Privacy Policy

Each privacy policy to ensure compliance with the GDPR must contain the following elements.

1. Identity of the data controller

You have to tell your users who you are—no need to get into too much detail or write too much prose. Providing your business name, address, and state or country of incorporation would be enough.

If you run a business or a simple blog as an individual, your name, location, or email address would be enough.

2. The categories of personal data you collect and/or process

Categories of personal data can be a person’s name, alias, home address, email address, ZIP code, phone number, ID number, passport number, Social Security Number, etc.

Personal data under the GDPR also includes health data, information about private life, IP address, political views, religious views, or any other information that could be directly or indirectly linked to an individual. Therefore, anything can be a category of personal data as long as it can by itself or in combination with other data identify a person.

3. How you collect and/or process personal data

Here you should describe the methods of data processing. In most cases, either:

Users give you their data, such as when they give you their name and home address for delivery of goods, oir
You collect the data by the use of cookies and other online trackers, such as Facebook Pixel, Quora Pixel, Google Marketing tools, and so on.

4. The purposes of data processing

Transparency under the GDPR means you must disclose to users why you need their data processed. Purposes of processing may include:

Analytics purposes, such as collecting statistics about website visits with Google Analytics or website usage with Hotjar,
Marketing purposes, such as when you collect their email to send them marketing materials or track their online behavior to serve them ads relevant to such behavior,
Preferences, such as processing data to remember the language preferences of a specific website visitor,
Customer support, when you collect a user’s email address or phone number to reach out back to them to solve a customer issue,

5. With whom you share personal data

You likely use third-party tools to collect and process data, such as Google Analytics, Facebook Pixel, Hotjar, Mailchimp, and others. To process your users’ data with these tools, you must disclose that personal data to them.

Your users have the right to know with whom you share their data, and you must disclose it in your privacy policy.

6. Data subject rights

GDPR calls users data subjects. When you collect the personal data of a user, they become your data subject.

Data controllers, the business that collects data and has it processed on their behalf, owe data subjects certain rights. These rights include the right to be informed of the processing, the right to have data deleted, objection to processing, and so on.

You have to list the rights your users have in your privacy policy.

If you must comply with multiple data protection laws at once, then you have to list all the rights that each statute grants to data subjects.

For example, compliance with the CCPA requires providing information on the sales of personal information. It is unique for the CCPA and is not required by the GDPR, LGPD, PIPEDA, or other laws.

So, if you need to comply with the CCPA and all other elements, you need to add those specific to this law.

7. How can users exercise their data subject rights

Businesses must provide data subjects with the means to exercise their data subject rights, which need to be laid down in the privacy policy.

In most cases, providing an email address would be enough. Some businesses may also offer a contact form, a phone number, or any other means for exercising these rights.

8. Data transfers to third countries

Data transfers to third countries are arguably the trickiest issue for businesses that must comply with the GDPR. Transfers within the Union and to adequate countries are free, but any other transfer requires additional transfer tools and possibly protection measures.

No matter how and where you handle personal data, users have the right to know whether it is transferred to third countries and, if so, where it is being sent.

9. Children’s personal data

If you knowingly collect and process children’s data, that must be included in this document.

10. Contact information

If you have a Data Protection Officer or legal representative in the EU, their name and contact information go here. Otherwise, any means of contact with you would be enough to include in this section.

Take a look at our guide listing all GDPR fines to get a picture about the consequences of not following the GDPR.

How to Read the Privacy Policy

If you want to know how to draw the lines and complete the picture of the privacy practices of a company based on their privacy policy, first, you have to learn how to read it.

We assume that you never bother reading privacy policies and always accept cookies.

If you bother now, we are about to explain how to navigate a privacy policy and understand what GDPR wanted to make them say.

To give you an idea of what we are talking about, we’ll read the key elements of the Shopify privacy policy with you. It is a Canadian company that complies with the GDPR. Moreover, the Canadian PIPEDA (federal data protection law) is similar to the GDPR.

Does Their Privacy Policy Contain All the Essential Elements?

Companies that are serious about GDPR compliance and compliance with any other data protection law have comprehensive privacy policies.

Some do not collect too much personal data, so they have a short and simple privacy policy. That doesn’t necessarily mean they are non-compliant. They do not bother with personal data and don’t have much to communicate with you about it.

Such websites are rare, though. Most online businesses collect lots of data, including data they are unaware they collect and process.

If you notice a bunch of social media widgets on a website, that’s usually a sign of data collection.

If you are not sure what the website you visit does about your personal information, scan it for free on WebCookies.org and get the answers you need.

The scan report will also tell you with whom they share your data. An online business can’t do everything alone, so they outsource many processes to third parties, i.e., SAAS companies who manage some operations on their behalf.

In many cases, outsourcing involves sharing of users’ data. For example, sharing the IP address with Google Analytics, email addresses with Mailchimp, and so on.

Talking about the privacy policy of Shopify, they have a wonderfully designed privacy policy with all the essential elements.

In this image, you can see the sections their privacy policy has. The number of sections is smaller than described in this article, but the rest of the required information is sprinkled throughout the other policy sections.

It is written in plain language, is easy to navigate, and easy to understand. It signals that the company wants to be transparent with the users.

Moreover, they have a separate privacy policy for each group of users that uses the website or services in any way.

Check out the purposes of data processing

The section on data processing purposes unveils the motives behind personal data processing. Businesses must tell users what makes them want to collect and process data.

The most common purposes for data processing include, but are not limited to:

Provide you with products or services. They sell something, and you must provide your data, such as personal name, email address, home address, postal code, or other data they need to deliver the product or service. The execution of a contract is a lawful basis for data processing under the GDPR and doesn’t require additional consent.

Marketing/Advertising Purposes. When a business collects and processes personal data for marketing purposes, they target customers based on the data they share with third-party services.

Examples of such services are social networks. They all provide advertisers with tracking pixels. These pixels track the web pages you visit online, match that activity with the data you have shared with them through your social media profile, and serve your profile as a potential buyer to the business.

Using cookies or a pixel that could match you with more data points is part of the processing data for marketing purposes because the information is used for marketing products and services.

Analytics purposes. Virtually every website on the internet uses some analytics tool, such as Google Analytics, Plausible, Mixpanel, and others. Some of them collect personal data; others do not.

Check out which analytics tool they share data within the section where they disclose the third-party tools they use.

Preferences. Businesses may collect your personal information to adjust the website to your preferences and improve your user experience. This may include accessibility adjustments, language, and others.

These are usually useful cookies that make the user’s life easier, but they collect personal data anyway, so consent is required before using them.

These are the most common processing purposes but not the only ones. Different business activities lead to additional processing purposes, so it is impossible to include them here. However, most of them belong to these categories.
Shopify, for example, uses more descriptive language to describe its purposes.

Instead of analytics, they say “providing reporting and analytics” and “testing out features and additional services.”

Instead of executing a contract, they say “answering questions or providing other types of support” (which is part of the execution of an agreement).

Marketing purposes include “assisting with marketing, advertising, and other communications.”

Having read this, you can understand that they monitor the usage of their website because, like many other large companies, they take user experience seriously and don’t hesitate to use personal data to figure out what a specific user wants from the website.

Also, you could understand that they use tracking tools to serve you with ads with tailored messages that are likely to interest you.

Finally, they have a purpose that serves their legitimate interest (fraud prevention) and some specific to their business (help merchants find and use apps in the app store).

Check out the categories of data collected

The next you should check out is what the business needs to fulfill these processing purposes.

Fulfilling each purpose requires the processing of a certain category of personal data. So, now you need to see how data processing types relate to the purposes.

If the business collects your email address to send you a newsletter, then such a category of data relates to the purpose. Without the email address, the business could not ship you the newsletter.

If an app requires access to your photos on your smartphone to provide you with image editing services, then that is adequate for processing. But, if they request your geolocation data to provide you with an app to add filter photos, this is an obvious red flag. That app doesn’t need to know where you are at any given moment. They may use the data for something else or sell it for money.

See how Shopify solves the transparency requirement in relation to categories of data:

This table explains what categories of personal data they collect and how they use it.

Some businesses are not as transparent as Shopify, but it doesn’t mean they are not compliant. If you doubt their privacy practices, you can submit a data subject request and have your questions answered.

Where Do They Transfer Personal Data?

GDPR forbids businesses from exporting personal data to countries where data protection is below the EU protection levels unless they have a lawful basis for doing so or eventually implementing additional data security measures.

The privacy policy may mention the lawful basis and supplementary measures, but it is not obligatory. You may not be able to understand the data transfer practices of the company and which privacy policy you read.

However, you can understand whether the data is being transferred outside of the European Union or not by having a look at the third parties to whom they disclose information.

This image shows some of the third parties they use for data processing. Many of them (and all of those on the image) are headquartered in the United States, making them subject to the US laws and may mean that the data is being transferred to the US. That makes things tricky regarding the GDPR because such transfer requires supplementary protective measures.

Although the chances that the US government will intrude on your personal data suspecting that you are involved in terrorism or money laundering are small, if you are not comfortable with the transfer of your data to the US, you may want to address this with the company which privacy policy you are interested in.

Lawful Basis for Data Processing

To understand the privacy practices of a company, you also need to understand its legal bases for data processing. This is not visible from the privacy policy, though. Some businesses may state the lawful basis in the privacy policy, but that’s not obligatory, and very few do that.

GDPR allows businesses to process data only if they have a lawful basis. The lawful basis listed in Article 6 of the GDPR includes:

Explicit user consent
Performing a contract
Legitimate interests
Vital user’s interest
Public interest
Compliance with laws, investigations, etc.

The two most common lawful bases are the explicit consent and the execution (performing) of a contract.

Businesses usually obtain consent by using a cookie banner that appears on arrival allowing the user to accept or refuse the cookies by clicking on a button.

Performing a contract is a legal basis for processing when the business needs your data to execute a contract with you, such as providing a SAAS, delivering a physical product, etc. Very often, the Terms and Conditions (also called Terms of Use, or Terms of Service) are the contracts being performed.

How to Draw the Lines

To understand the privacy practices through a company’s privacy policy, you need to draw a line between the processing purposes, categories of data processed, and the third parties involved. On top of that, the business needs a lawful basis to process the data.

You need to ensure that:

The categories of data processed are aligned with the purposes of processing
The third parties’ business involves processing data for such a purpose
The business has a lawful basis for processing the data, such as your explicit consent, performing a contract, legitimate interest, or others
The data transfers to third countries are lawful, and
The company has all the essential elements of a GDPR-compliant privacy policy present in the document.

Let’s imagine that an online business has collected your email address to deliver a pdf on a subject that interests you. You gave them your email; they sent you the PDF. They also asked if they could send you their weekly newsletter with marketing offers. You ticked the checkbox.

Now they have your email address. You have the PDF and their marketing materials.

They collected and processed your data for executing a contract (sending the pdf) and marketing purposes (mailing the promo newsletter). They do not use the email address for anything else. They use Mailerlite, which is a Lithuanian company with servers in the EU.

This means they have a good purpose for processing the email address, have a lawful basis for doing so, and do not transfer data outside of Europe. That’s compliant with the GDPR and nice privacy practice.

If they upload your email address on the Facebook Lookalike Audience tool and transfer your data to the US… well, that would violate the GDPR and many other similar data protection laws.

If you sign up for Shopify, they will monitor your behavior with Hotjar to see how you use the website and make improvements when they gather enough information about that. They have a useful purpose, a third-party tool to execute on purpose and collect information on your behavior – that is all aligned and a valid privacy practice as long as they obtain your consent for collecting personal information.

In the end, it is up to you to determine whether you are satisfied with certain online business privacy practices or not. This article explained how to determine the essential points of a privacy policy to understand why and how your data flows from one server to another and gives some businesses an insight into your data, but you are the one to decide if you are happy with how they handle data.

If you cannot determine yourself, reach out to a professional.

Data privacy expert

Legal Advisor for IT Regulation - Ministry for Information Society and Administration of Macedonia

Petar Todorovski is interested in just about anything where law and technology intersect. His work includes legal consultation for companies, drafting IT-related legislation for the Macedonian government, and designing legal tech apps for a data protection management platform.

He has experience in data protection, cybersecurity, trust services, digital transformation of public services, access to justice, and writing for the internet.

He is a big advocate of automation, user-centered design, and the use of plain language in the legal industry.

Petar takes a break from law and tech by having a Crossfit workout, enjoying the outdoors, and reading smart people’s blogs.

Cookie	Duration	Description
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	1 year	The GDPR Cookie Consent plugin sets the cookie to store whether or not the user has consented to use cookies. It does not store any personal data.
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.

How to Understand the Privacy Practices of an Online Business Based on Their Privacy Policy